On Wed, 2008-01-02 at 08:15 -0600, Les Mikesell wrote:
> Rob Owens wrote:
> >
> > I particularly like the use of " " as a directory name. Nice and
> > invisible. Also note that the invader put his files in two directories
> > which have the "sticky" bit set: /dev/shm and /var/tmp
> >
> > In the end, it seems that all the invader succeeded in doing was a bunch
> > of port-scanning. The OS is going to be re-installed anyway, just to be
> > safe.
>
> It is probably looking for additional systems to compromise, and may
> have reported itself back to some controlling system.
>
> > Are there any organizations out there that this should be reported to?
> > (For instance, the way one might send reports to an antivirus group or a
> > content filtering group).

Run a tool like rootkithunter (http://rkhunter.sourceforge.net/) to see if it is a known setup (most are, as they are run by "script kiddies" and not the black hat pros that write them). If the system is a K12LTSP box, rpm -Va will check the integrity of every package installed and report if the config or binary has been changed. This is a good start for production machines that really can't be whisked offline for a wipe and rebuild.

> There is quite a lot of ssh password guessing going on over the
> internet. If you have systems with the ssh port exposed, you can expect
> to see a few hundred attempts a day

I have seen systems that are hit thousands of times a day. Tools like sshdfilter will do great things like block the attacker with an iptables rule after a set number of failed logins. Sometimes moving ssh to a port other than 22 will help, but the "security through obscurity" arguments arise here (i.e. it only lasts until someone port scans and finds the new port number).

> in the logs - a slow enough rate
> that you might not notice but the attackers are probably spreading their
> attempts over thousands of systems. There are some packages that watch
> the logs and firewall addresses with repeated failed attempts but none
> are included in the distribution.
>
> --
> Les Mikesell
> lesmikesell gmail com

--
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney localnetsolutions com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
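To make the log-watching that Les and James describe concrete, here is an added example (not from the thread and not sshdfilter's own code): a POSIX shell snippet that counts failed sshd password attempts per source address in constructed auth-log lines and prints, rather than applies, an iptables drop rule for any address over an assumed threshold of three failures.

```shell
#!/bin/sh
# Added example, not from the K12OSN thread or from sshdfilter.
# Count failed sshd password attempts per source address and list the
# addresses that cross a threshold, the same decision an sshdfilter-style
# tool makes before inserting a firewall rule. Log lines are constructed.

LOG_SAMPLE='Jan  2 08:15:01 ltsp sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan  2 08:15:03 ltsp sshd[4023]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan  2 08:15:04 ltsp sshd[4025]: Accepted publickey for teacher from 192.0.2.10 port 40112 ssh2
Jan  2 08:15:06 ltsp sshd[4027]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Jan  2 08:15:09 ltsp sshd[4029]: Failed password for root from 198.51.100.23 port 33100 ssh2
Jan  2 08:15:12 ltsp sshd[4031]: Failed password for invalid user oracle from 203.0.113.7 port 51044 ssh2'

# failed_per_ip: read an auth log on stdin, print "count ip" per source,
# highest count first. Successful logins ("Accepted ...") are ignored.
failed_per_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# offenders THRESHOLD: print only source addresses with >= THRESHOLD failures.
offenders() {
    failed_per_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# block_rule IP: the kind of iptables rule a log-watching tool would add.
# Printed rather than executed so the example runs without root.
block_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$1"
}

main() {
    printf '%s\n' "$LOG_SAMPLE" | failed_per_ip
    # Threshold of 3 is an assumed value, not one the thread specifies.
    for ip in $(printf '%s\n' "$LOG_SAMPLE" | offenders 3); do
        block_rule "$ip"
    done
}

main
```

On a real system the sample would be replaced by the live log (for example /var/log/secure) and the rule applied with root privileges; the address at the top of the count list is the one worth looking at first.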